• by Kean Graham , Columnist, May 22, 2018

The day is almost here, and ad technology-affected companies are scrambling to become compliant by May 25. The General Data Protection Regulation (GDPR) was introduced almost two years ago. Publishers have already seen emails from several ad networks requiring them to agree to their new data policies. Many of the ad networks are still not sure how they will become compliant by tokenizing the data of each EU user that doesn’t opt into sharing their data.

This is where it gets interesting though. For the EU users that do not opt into sharing their data, that means advertisers cannot target them via cookie data. Most people in ad tech know that “cookied” users are worth much more than non-cookied users. Non-cookied users today get dramatically lower participation rates on header bidding than cookied users. Publishers with high percentages of EU users will get hit hard on the revenue side for this reason. There’s no surprise in any of those predictions.

So who is left to target these EU users? Which advertisers will bid on these EU users that do not want to share their data? The simpler advertisers are left; they only target publishers directly, do contextual targeting or geo-targeting. These advertisers are licking their lips because their EU targeting is going to become significantly cheaper. The advertisers that are most excited about this new regulation are malvertisers. All the black hat advertisers that are responsible for mobile re-directs, spyware and unexpected pop-ups will be the ones who benefit the most out of this new regulation.

Malvertisers will now be able to target non-opted-in EU users for so much cheaper now that the majority of the advertisers will not be targeting this cookie-free traffic. In essence, their return on investment of running these black hat campaigns will skyrocket. What does this mean for users who don’t opt into sharing their data? They can expect a spike in malvertising, namely mobile re-directs. Publishers should expect a spike in complaints of malvertising, angry EU audiences and perhaps a small jump in EU bounce rates.

Malvertisers do not care about precise targeting. They are simply looking for high ROI volume to push their spyware, pop-ups and/or mobile re-directs. Mobile re-directs are the most common, and they push the majority of users to popular app downloads without an initiated click. This earns the malvertisers affiliate commission with campaigns that get close to 100% CTR since they are automatically re-directed to the app page. They were already getting very high ROI. With cheaper CPMs in the EU, they will be able to get much higher profit margins which increases their incentive to be more aggressive.

We are all working hard in the ad tech industry to eliminate malvertising. Unfortunately, it’s a difficult arms race against some brilliant hackers. It’s an ongoing battle, and malvertising is still rampant. 

I hope that this will only accelerate the development of innovations to block malvertising. The overall intent of GDPR has its merit; however, we all must be conscious of the potential consequences. So far, companies like The Media Trust and GeoEdge can only detect malvertising after the damage is done. Some companies have been able to build proprietary safe frames that proactively block mobile re-directs. This type of suppression tech should be targeted to EU non-opted-in traffic because they will become a target after May 25. Publishers and ad tech partners should take similar proactive measures.